Solved

Remote Access to company mail

Posted on 2004-09-13
Last Modified: 2011-09-20
Hello,

I have a problem. My company has an internal Exchange 2003 Server, running on Windows 2003 SBS. This Exchange Server downloads mail from our webhost, and therefore does not directly receive mail for our domain. All mail forwarded to my email address first goes to our webhost, then our Exchange Server gets it from there and distributes it accordingly.

I need to get remote access to my mail by the most secure means possible.  We have a current network administrator that is paranoid about publishing internal resources onto the web, yet we NEED to get our mail remotely.

I have done A LOT of reading on this topic, and have decided to use MS ISA Server and Outlook Web Access (OWA) to facilitate access to the internal mail. That way, we will be able to log on from anywhere with an internet connection, and view our existing archive of mail.

This poses several problems (and questions) however.

Internet Connection - our internet connection is a home user ADSL type plan, with a dynamic IP address. The DSL line comes into our building and plugs straight into a 4 port DSL modem/router. Our server is then run off the router, as well as all our client machines. We do not have any dedicated hardware firewall devices. We are solely relying on the NAT firewall that is in our router. We have no DNS name mapped to any internal resources; our webhost hosts all mail and web content.

What would be the best way to get remote access to our OWA Mail? I can currently type SERVERNAME\EXCHANGE into internet explorer and get the OWA successfully. Our next step is to SECURELY publish this to make it accessible to the internet. Can anyone please give me an idea on what the best way would be to configure ISA Server to allow secure remote access to the webmail?

Thank you,

Dean.
0
Question by:aktivemofo
11 Comments
 
LVL 16

Accepted Solution

by:
The--Captain earned 400 total points
ID: 12041752
Is there some reason why you cannot just pull your mail from the same place the exchange server gets it via some sort of webmail gateway?  

Hosting externally visible internet services on a dynamic IP is ill-advised, although some folks can't seem to live without it - to that end, folks like those at http://www.dyndns.org/ are there to fill the void.  

>I can currently type SERVERNAME\EXCHANGE into internet explorer and get the OWA successfully

Hmmm - that sounds like something that is unlikely to work outside the LAN - are there any secure webmail clients (ie use https) that you can install on your exchange server?  

Cheers,
-Jon
0
 
LVL 7

Assisted Solution

by:gnegrota
gnegrota earned 400 total points
ID: 12041844
OWA does have the HTTPS access mode; the problem is that this type of connection is unsafe in any case if you are not using a 'real' firewall. The 'best' way is to set up VPN access (with IPSec, for example) in your network and from there to access OWA in HTTPS and firewall all other things. Check your router capabilities about VPN access.
To 'detect' the IP of your connection, use the suggestion of The--Captain!
0
 
LVL 5

Assisted Solution

by:ITcrow
ITcrow earned 400 total points
ID: 12041989

Connect using VPN
Outlook Web Access to access emails.

Since your company has dynamic IP address, follow Jon's suggestion and go to
http://www.dyndns.org for a work-around.
0

 
LVL 9

Assisted Solution

by:cooledit
cooledit earned 400 total points
ID: 12042029
hi, there

You mentioned remote clients get a dynamic IP from the provider, right?

If you split the network into 3 subnets

1 for the internal users
1 for the Exchange server DMZ zone (I assume it's already there)
1 for the remote users

Internal ACL's have access to all + Exchange server by new route

Remote Users only to smtp port 25 forward it to the IP of the exchange server.
0
 
LVL 13

Assisted Solution

by:hstiles
hstiles earned 400 total points
ID: 12045113
Whatever solution you choose, the more secure you want to make it, the more complex it will probably end up being.

I would prefer a VPN type solution to anything else simply because it would give you the greatest flexibility:

Using the VPN approach you could:

set up OWA via VPN.  This would remove the need for SSL encryption
use Outlook as you would in the office just providing the exchange server name
use IMAP and SMTP - although unnecessary if you are VPNing in

Otherwise:

OWA but you would have to protect via SSL and preferably publish using ISA
IMAP over the internet
Outlook via RPC over HTTPS, but this would require a front end Exchange server even if you are using ISAS
0
 

Author Comment

by:aktivemofo
ID: 12049808
Hello,

Thank you all for your suggestions.

Unfortunately, I could not convince my colleagues to consider a VPN. It looks like we will have to use ISA Server and publish the resources as needed.

What is the best practice to install an ISA Server? Does it HAVE to live in the DMZ? And if so, does the ISA Server software protect that actual machine - i.e. will it act as a desktop firewall for that particular box? We do not have (and cannot afford) any firewalls; we pretty much have software only. If we did resolve to use ISA Server, would the setup be like this:

[INTERNET] --> [ROUTER] --> [ISA SERVER] --> [SWITCH] --> [INTERNAL LAN]

I think that the biggest problem I have is understanding where to put the ISA Server, and how many network cards it needs. So many of the guides I have read say that you need 2 NICs in the ISA box: one for internal and one for external?

Once again, any suggestions are welcome.

Thanks in advance.

-DEAN.
0
 
LVL 7

Expert Comment

by:gnegrota
ID: 12051972
The best practice is
                  +-----+          +--------+
---LAN(inside)----| ISA |----------| Router |----------->( ISP )
                  +-----+          +--------+
                     |
                     | [dmz]
                     |
                 +--------+
                 | Server |
                 +--------+

In this case, ISA can be used to isolate the servers (Web, Mail, etc.), VPN access inside, firewall and filter.
0
 

Expert Comment

by:nishakash
ID: 12232634
Hi:

I have my Exchange server on the DMZ. When I use Outlook 2003, everything works fine.

BUT when I remove my server from the DMZ, then Outlook does not work and it gives the error message "Exchange server unavailable".

Please can anyone help. I have ports 80, 110, 25, 3389, 443 and 445 open already on the router.


Thanks
0
